
I'm trying to run the gitlab-ce docker image and am having issues with permission being denied for secrets_helper.rb. The following is pulled from the startup logs:

================================================================================
Recipe Compile Error in /opt/gitlab/embedded/cookbooks/cache/cookbooks/gitlab/recipes/default.rb
================================================================================

Errno::EPERM
------------
Operation not permitted @ rb_file_chmod - /etc/gitlab/gitlab-secrets.json

Cookbook Trace:
---------------
  /opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/secrets_helper.rb:121:in `chmod'
  /opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/secrets_helper.rb:121:in `block in write_to_gitlab_secrets'
  /opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/secrets_helper.rb:119:in `open'
  /opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/secrets_helper.rb:119:in `write_to_gitlab_secrets'
  /opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/settings_helper.rb:163:in `generate_secrets'
  /opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/settings_helper.rb:167:in `generate_config'
  /opt/gitlab/embedded/cookbooks/cache/cookbooks/gitlab/recipes/config.rb:26:in `from_file'
  /opt/gitlab/embedded/cookbooks/cache/cookbooks/gitlab/recipes/default.rb:26:in `from_file'

Relevant File Content:
----------------------
/opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/secrets_helper.rb:

There was an error running gitlab-ctl reconfigure:

Operation not permitted @ rb_file_chmod - /etc/gitlab/gitlab-secrets.json

114:  
115:    def self.write_to_gitlab_secrets
116:      secret_tokens = gather_gitlab_secrets
117:  
118:      if File.directory?('/etc/gitlab')
119:        File.open('/etc/gitlab/gitlab-secrets.json', 'w', 0600) do |f|
120:          f.puts(Chef::JSONCompat.to_json_pretty(secret_tokens))
121>>         f.chmod(0600)
122:        end
123:      end
124:  
125:      nil
126:    end
127:  end
128:  

I've created the container with the following:

docker run --detach \
  --hostname domain.name.com \
  --publish 4443:443 \
  --publish 4080:80 \
  --publish 4022:22 \
  --name gitlab \
  --restart always \
  --volume /mnt/nfs-1/gitlab/config:/etc/gitlab \
  --volume /mnt/nfs-1/gitlab/logs:/var/log/gitlab \
  --volume /mnt/nfs-1/gitlab/data:/var/opt/gitlab \
  gitlab/gitlab-ce:latest

Permissions look like the following:

/mnt (image: Rancher /mnt listing)

/mnt/nfs-1

drwxrwx---    5 1020     1020             5 Jun  2 23:13 gitlab

/mnt/nfs-1/gitlab

drwxrwx---    2 1020     1020            10 Jun  2 23:15 config
drwxrwx---    2 1020     1020             2 Jun  2 23:13 data
drwxrwx---    4 1020     1020             4 Jun  2 23:15 logs

/mnt/nfs-1 is an NFS share that's set up with Rancher's config.

# /var/lib/rancher/conf/cloud-config.d/nfs.yml

rancher:
  services:
    nfs:
      image: walkerk1980/rancher-nfs-client
      labels:
        io.rancher.os.after: console, preload-user-images
        io.rancher.os.scope: system
      net: host
      privileged: true
      restart: always
      volumes:
      - /usr/bin/iptables:/sbin/iptables:ro
      - /mnt/nfs-1:/mnt/nfs-1:shared
      environment:
        SERVER: nas.stark.local
        SHARE: /mnt/pool/data_set
        MOUNT_OPTIONS: rw,noatime,nolock,soft,_netdev,auto

The NFS file share (in FreeNAS) looks like this:

(image: FreeNAS NFS share permissions)

However, the solution there didn't work for me and I'm not quite sure where the git user exists. I'd assume that it exists in the running image.

I also tried downgrading/upgrading, different versions and the EE edition, with the same problem, so I'm under the assumption it has something to do with the volumes?

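A small probe, added here and not part of the question or of the GitLab package, that replays the two steps write_to_gitlab_secrets performs (create the secrets file with mode 0600, then chmod it) against any directory, so that inside the container you can see which step a mounted volume refuses and with what ownership the directory is presented. The probe file name and the docker exec invocation in the comments are assumptions.

```shell
#!/bin/sh
# Added probe (not from the question or the GitLab package): replay the steps
# write_to_gitlab_secrets performs -- create gitlab-secrets.json with mode 0600,
# then chmod it -- against any directory, reporting which step a mount refuses.
# Run it inside the container, e.g.:
#   docker exec gitlab sh -c '. /tmp/probe.sh; probe_secrets_dir /etc/gitlab'
# (the script path is an assumption; copy it in however you like).

probe_secrets_dir() {
  dir=$1
  probe="$dir/.secrets-probe.$$"   # assumed temp name, removed on exit
  rc=0

  if [ ! -d "$dir" ]; then
    echo "FAIL: $dir is not a directory"
    return 1
  fi

  # Step 1: create the file, as File.open(path, 'w', 0600) does in Ruby.
  if (umask 077 && : > "$probe") 2>/dev/null; then
    echo "ok  : created $probe as uid $(id -u)"
  else
    echo "FAIL: cannot create files in $dir ($(ls -ldn "$dir" | awk '{print $1, $3":"$4}'))"
    return 1
  fi

  # Step 2: chmod the file we just created, the f.chmod(0600) call that raised
  # EPERM. A directory can be writable while the server still refuses
  # chmod/chown, e.g. when root is squashed to a uid that does not own the file.
  if chmod 0600 "$probe" 2>/dev/null; then
    echo "ok  : chmod 0600 accepted"
  else
    echo "FAIL: chmod 0600 refused (matches 'Operation not permitted @ rb_file_chmod')"
    rc=1
  fi

  # Step 3: confirm the mode persisted; some servers accept chmod but ignore it.
  mode=$(stat -c %a "$probe" 2>/dev/null || stat -f %Lp "$probe")
  if [ "$mode" = "600" ]; then
    echo "ok  : mode persisted as 0600"
  else
    echo "FAIL: mode reported as $mode, expected 600"
    rc=1
  fi

  rm -f "$probe"
  return $rc
}
```

Running it against /etc/gitlab on the NFS-backed volume and again against a Docker-managed volume shows directly whether the chmod step is what the share rejects.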
  • The NFS folders on the server should have permissions allowing read/write to whichever user the container is using. – Hector Vido Jun 02 '21 at 23:50
  • @HectorVido do you happen to know what those would look like? I'll also include the file permissions here. – Nate-Wilkins Jun 02 '21 at 23:53
  • If these folders on `/mnt` come from an NFS **server**, you need to fix permissions on the NFS **server**. To see exactly what permissions you need, just remove these volumes, use a "docker managed one" like `--volume gitlab_config:/etc/gitlab`, access the container and list the files. – Hector Vido Jun 03 '21 at 00:01
  • That makes sense. I'll add the Rancher config file here too, which is what's setting up the NFS file share, and look into updating the permissions for that. Thanks for the help! – Nate-Wilkins Jun 03 '21 at 00:08
  • Just added the NFS file share (hosted in FreeNAS) too. However, what's weird here is that it seems like it's writable. – Nate-Wilkins Jun 03 '21 at 00:24
  • :/ sorry, I don't know how to solve it. – Hector Vido Jun 03 '21 at 01:54
  • It's okay, I really appreciate the help! And it put me in a new direction too. Thanks again! – Nate-Wilkins Jun 03 '21 at 02:21
  • For anyone that might stumble upon this: I bypassed the issue entirely by not using the NFS share. I don't know how to get this to work when the calling application wants to change file permissions & owner on the NFS share. – Nate-Wilkins Jun 23 '21 at 17:45

0 Answers